
Hacking for Web Application Developers (powered by OWASP Juice Shop)

This hands-on hacking training presents the most critical risks in web applications in order to teach frontend and backend developers how to build a secure web application.

After an introduction to the Open Web Application Security Project Top 10 2021 (OWASP Top 10 2021), a selection of the application security risks listed in the OWASP Top 10 is worked through step by step.

[Image: OWASP Top 10 2021]

Almost every security risk in the selection has its own folder with challenges to solve. In these challenges, participants have to find various security flaws in the OWASP Juice Shop, an intentionally vulnerable web application. The challenge descriptions include hints that point toward the right way of attacking the application.

Always read only the first hint, then try to solve the challenge. Only if you have no idea how to proceed, read the next hint.

IMPORTANT: Work through the training in the given order, as later challenges may depend on earlier ones.

Setup

OWASP Juice Shop

Follow the setup instructions on https://github.com/juice-shop/juice-shop#setup
(installation as a Docker container is recommended). Keep in mind that the shop is intentionally vulnerable: on a machine that is reachable from a shared network, publish the port on localhost only rather than on all interfaces.

docker pull bkimminich/juice-shop:v14.2.1
docker run --rm -p 3000:3000 bkimminich/juice-shop:v14.2.1

Web Proxy

OWASP ZAP

Follow the setup instructions on https://www.zaproxy.org/download/.

Starting with version 2.8.0, OWASP ZAP ships with a Heads Up Display (HUD) that overlays ZAP's findings and tools directly onto the web page in your browser. See the OWASP ZAP HUD GitHub project to learn more about this feature.

REST API clients

Postman

To call the Juice Shop REST API from a graphical client, you can use Postman.
Follow the setup instructions on https://www.postman.com/downloads.

Httpie

If you prefer calling the Juice Shop REST API from the command line, try HTTPie.
Follow the setup instructions on https://httpie.org.

Curl

If you prefer the command line, the classic curl works just as well for calling the Juice Shop REST API.
Follow the setup instructions on https://curl.haxx.se.
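The setup steps above (the pinned Juice Shop Docker image, OWASP ZAP as intercepting proxy, and curl/HTTPie as REST clients) combined into one script. This is an added example and not part of the original training material, Juice Shop, or ZAP. It assumes ZAP is listening on its default local proxy port 8080, that the `http` command from HTTPie is on the PATH, and that Juice Shop serves its product search at /rest/products/search; the container is published on 127.0.0.1 only so the vulnerable shop is not reachable from the network.

```shell
# Added example (not from the training README or Juice Shop): start the pinned
# Juice Shop image bound to localhost, wait until it answers, then send the same
# REST request through OWASP ZAP with curl and with HTTPie.
# Assumptions: ZAP's default proxy listener is 127.0.0.1:8080, HTTPie is installed
# as `http`, and Juice Shop's product search lives at /rest/products/search.

JUICE_IMAGE="bkimminich/juice-shop:v14.2.1"
JUICE_BIND="127.0.0.1:3000"        # localhost only: the shop is intentionally vulnerable
ZAP_PROXY="http://127.0.0.1:8080"  # ZAP's default local listener (assumption)

# Compose the docker command as a string so it can be reviewed (and checked)
# before anything is started. "-p host:port:container" keeps the listener local.
juice_run_cmd() {
  printf 'docker run --rm -d --name juice-shop -p %s:3000 %s' "$JUICE_BIND" "$JUICE_IMAGE"
}

start_juice() {
  sh -c "$(juice_run_cmd)"
}

# Poll the shop's front page until it returns HTTP 2xx; give up after $1 seconds.
wait_for_juice() {
  tries="${1:-30}"
  while [ "$tries" -gt 0 ]; do
    if curl -fsS -o /dev/null "http://${JUICE_BIND}/"; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  echo "Juice Shop did not come up on ${JUICE_BIND}" >&2
  return 1
}

# The same request with two clients; both go through ZAP so the traffic shows
# up in ZAP's History tab and in the HUD. $1 is the search term.
search_with_curl() {
  curl -sS --proxy "$ZAP_PROXY" --get --data-urlencode "q=$1" \
    "http://${JUICE_BIND}/rest/products/search"
}

search_with_httpie() {
  # HTTPie takes the scheme the proxy applies to: --proxy http:<proxy-url>;
  # "q==value" appends a URL query parameter.
  http --proxy "http:${ZAP_PROXY}" GET "http://${JUICE_BIND}/rest/products/search" "q==$1"
}

stop_juice() {
  docker stop juice-shop >/dev/null   # --rm in the run command removes the container
}

# The live workflow only runs when explicitly requested, so sourcing this file
# just defines the functions above.
if [ "${JUICE_SHOP_START:-0}" = "1" ]; then
  start_juice
  wait_for_juice 30
  search_with_curl "apple"
  search_with_httpie "apple"
  stop_juice
fi
```

Run it with `JUICE_SHOP_START=1 sh juice-shop-setup.sh` once ZAP is started; without the variable the script only defines the helper functions, which is handy for sourcing it in a shell session during the challenges.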

The Challenges

The challenges are categorized according to the OWASP Top 10 (2021) list.

Useful links